FTC FINALIZES CHANGES TO HEALTH BREACH NOTIFICATION RULE

The changes aim to close gaps around HIPAA and help healthcare organizations and consumers control the use of personal health information.

Federal officials are making sweeping changes to regulations around digital health apps and platforms in an effort to combat data breaches and fill in the gaps around the Health Insurance Portability and Accountability Act (HIPAA).

The U.S. Federal Trade Commission (FTC) last week announced final changes to the Health Breach Notification Rule (HBNR), which requires vendors of personal health records (PHR) and related entities that are not covered by HIPAA to notify individuals, the FTC and, in some cases, the media of a breach of unsecured personally identifiable health data. The rule also requires third-party service providers to vendors of PHRs and PHR related entities to notify such vendors and PHR related entities following the discovery of a breach.

The changes aim to close loopholes caused by the proliferation of third-party apps and platforms in the digital health ecosystem and give both healthcare providers and consumers more control over the use and reliability of healthcare data.

“Protecting consumers’ sensitive health data is a high priority for the FTC,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a press release. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

The changes include:

  • Revised definitions. Several definitions were rewritten to include health apps and similar technologies not covered by HIPAA. This includes redefining “PHR identifiable health information” and adding new definitions for “covered healthcare provider” and “healthcare services or supplies.”
  • Clarifying ‘breach of security.’ A “breach of security” will now include any unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.
  • Revised definition of PHR related entity. The definition of a “PHR related entity” will now cover entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities.
  • Clarifying multiple sources of PHR identifiable health information: The final rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources.
  • Expanded use of electronic notification: The final rule authorizes the expanded use of e-mail and other electronic means of providing clear and effective notice to consumers of a breach.
  • Expanded consumer notice content: The required content that must be provided in the notice to consumers has been expanded to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security.
  • New timing requirements. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security.
  • Improved readability. The final rule also includes changes to improve the rule’s readability and promote compliance.
Source: Health Leaders Media
